When we allow multiple instances of the driver for the same user
account, using a separate root directory, we need to ensure mutual
exclusion. Use a pidfile to guarantee this.
In privileged libvirtd this ends up locking
/var/run/libvirt/secrets/driver.pid
In unprivileged libvirtd this ends up locking
/run/user/$UID/libvirt/secrets/run/driver.pid
NB, the latter can vary depending on $XDG_RUNTIME_DIR
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
When we allow multiple instances of the driver for the same user
account, using a separate root directory, we need to ensure mutual
exclusion. Use a pidfile to guarantee this.
In privileged libvirtd this ends up locking
/var/run/libvirt/qemu/driver.pid
In unprivileged libvirtd this ends up locking
/run/user/$UID/libvirt/qemu/run/driver.pid
NB, the latter can vary depending on $XDG_RUNTIME_DIR
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
We've been doing a terrible job of performing XML validation in our
various API that parse XML with a corresponding schema (we started
with domains back in commit dd69a14f, v1.2.12, but didn't catch all
domain-related APIs, didn't document the use of the flag, and didn't
cover other XML). New APIs (like checkpoints) should do the validation
unconditionally, but it doesn't hurt to continue retrofitting existing
APIs to at least allow the option.
While there are many APIs that could be improved, this patch focuses
on wiring up a new snapshot XML creation flag through all the
hypervisors that support snapshots, as well as exposing it in 'virsh
snapshot-create'. For 'virsh snapshot-create-as', we blindly set the
flag without a command-line option, since the XML we create from the
command line should generally always comply (note that validation
might cause failures where it used to succeed, such as if we tighten
the RNG to reject a name of '../\n'); but blindly passing the flag
means we also have to add in fallback code to disable validation if
the server is too old to understand the flag.
Signed-off-by: Eric Blake <eblake@redhat.com>
Acked-by: Peter Krempa <pkrempa@redhat.com>
Similar to VIR_DOMAIN_DEF_PARSE_VALIDATE_SCHEMA; the next patch will
put it to use with a counterpart public API flag.
No need to change qemudomainsnapshotxml2xmltest to use the flag, since
the testsuite already has a separate virschematest that does the same.
Signed-off-by: Eric Blake <eblake@redhat.com>
Acked-by: Peter Krempa <pkrempa@redhat.com>
We no longer need to special-case xenUnified, since 1dac5fbbbb
dropped support for that naming scheme.
Signed-off-by: Eric Blake <eblake@redhat.com>
Acked-by: Peter Krempa <pkrempa@redhat.com>
Previous commit:
commit faceedaf71
Author: Jonathon Jongsma <jjongsma@redhat.com>
Date: Tue Jun 18 11:13:12 2019 -0500
src/vz: use #pragma once in headers
accidentally chomped the "#" in a "#define" when re-indenting
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Support for the modern CPU_ALLOC macros was added 10 years ago in
commit a73cd93b24
Author: Daniel P. Berrange <berrange@redhat.com>
Date: Mon Nov 16 16:08:29 2009 +0000
Alternate CPU affinity impl to cope with NR_CPUS > 1024
This is long enough that we can assume it always exists and drop the
back compat code.
Reviewed-by: Martin Kletzander <mkletzan@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
The previously added AMD SEV doc was not linked from anywhere on the
website. Address this by introducing a new "Knowledge base" section
that can hold task oriented guide to various features. Moving the SEV,
disk locking and secure usage guides under this section.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Continuous integration caught that although 'make syntax-check' was
sufficient to let me be aware that I had to change bhyve to use
s/virDomainShutdownEnsureACL/virDomainShutdownFlagsEnsureACL/, it was
not sufficient to note which ACL functions require 2 vs. 3 arguments
for flag validation.
Fixes: eded8aad
Signed-off-by: Eric Blake <eblake@redhat.com>
The @oldDef variable in libxlAddDom0() is not used really. Drop
it.
Signed-off-by: Michal Privoznik <mprivozn@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Even though we don't accept any flags, it is unfriendly to callers
that use the modern API to have to fall back to the flag-free API.
Note that virDomainBlockStats does not trivially forward to
virDomainBlockStatsFlags, so that one is omitted for now.
Signed-off-by: Eric Blake <eblake@redhat.com>
Acked-by: Peter Krempa <pkrempa@redhat.com>
Even though we don't accept any flags, it is unfriendly to callers
that use the modern API to have to fall back to the flag-free API.
Signed-off-by: Eric Blake <eblake@redhat.com>
Acked-by: Peter Krempa <pkrempa@redhat.com>
Even though we don't accept any flags, it is unfriendly to callers
that use the modern API to have to fall back to the flag-free API.
Signed-off-by: Eric Blake <eblake@redhat.com>
Acked-by: Peter Krempa <pkrempa@redhat.com>
Even though we don't accept any flags, it is unfriendly to callers
that use the modern API to have to fall back to the flag-free API.
Signed-off-by: Eric Blake <eblake@redhat.com>
Acked-by: Peter Krempa <pkrempa@redhat.com>
When only geteuid() is mocked, the test crashes on Debian 10.
Fatal: failed to reset uid: No such file or directory
Program received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) t a a bt
Thread 1 (Thread 0x7ffff3b3e080 (LWP 12003)):
#0 __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff7798535 in __GI_abort () at abort.c:79
#2 0x00007ffff485ca20 in _gcry_logv (level=level@entry=40, fmt=fmt@entry=0x7ffff4929126 "failed to reset uid: %s\n", arg_ptr=arg_ptr@entry=0x7fffffffe4a0) at ../../src/misc.c:142
#3 0x00007ffff485cd61 in _gcry_log_fatal (fmt=fmt@entry=0x7ffff4929126 "failed to reset uid: %s\n") at ../../src/misc.c:218
#4 0x00007ffff48639d1 in lock_pool_pages (n=<optimized out>, p=<optimized out>) at ../../src/secmem.c:340
#5 _gcry_secmem_init_internal (n=<optimized out>) at ../../src/secmem.c:563
#6 0x00007ffff4863d78 in _gcry_secmem_init (n=4096) at ../../src/secmem.c:581
#7 0x00007ffff485e4e6 in _gcry_vcontrol (cmd=<optimized out>, arg_ptr=arg_ptr@entry=0x7fffffffe5e0) at ../../src/global.c:506
#8 0x00007ffff485a789 in gcry_control (cmd=cmd@entry=GCRYCTL_INIT_SECMEM) at ../../src/visibility.c:79
#9 0x00007ffff71af10f in ssh_crypto_init () at ./src/libgcrypt.c:621
#10 0x00007ffff7193796 in _ssh_init (constructor=constructor@entry=1) at ./src/init.c:79
#11 0x00007ffff71834de in libssh_constructor () at ./src/init.c:116
#12 0x00007ffff7fe437a in call_init (l=<optimized out>, argc=argc@entry=1, argv=argv@entry=0x7fffffffe778, env=env@entry=0x7fffffffe788) at dl-init.c:72
#13 0x00007ffff7fe4476 in call_init (env=0x7fffffffe788, argv=0x7fffffffe778, argc=1, l=<optimized out>) at dl-init.c:30
#14 _dl_init (main_map=0x7ffff7ffe190, argc=1, argv=0x7fffffffe778, env=0x7fffffffe788) at dl-init.c:119
#15 0x00007ffff7fd60ca in _dl_start_user () from /lib64/ld-linux-x86-64.so.2
#16 0x0000000000000001 in ?? ()
#17 0x00007fffffffea26 in ?? ()
#18 0x0000000000000000 in ?? ()
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
virsh snapshot-create-as supports 'file' storage type in --diskspec by default.
But it doesn't support 'block' storage type in the virshParseSnapshotDiskspec().
So if a snapshot on a block device (e.g. LV) was created, the type of
current running storage source in dumpxml is inconsistent with the actual
backend storage source. It will check file-system type mismatch failed
and return an error message of 'Migration without shared storage is unsafe'
when VM performs a live migration after this snapshot.
Considering virsh has to be able to work remotely that recognizing a block device
by prefix /dev/ or by stat() may be not suitable, so adding a "stype" field
for the --diskspec string which will be either "file" or "block".
e.g. --diskspec vda,snapshot=external,driver=qcow2,stype=block,file=/dev/xxx.
Signed-off-by: Liu Dayu <liu.dayu@zte.com.cn>
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Now that we no longer support sexpr conversion to the internal config we
can drop the test.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
We've dropped old xend support over a year ago. At this point we can
also drop support for parsing very old configs.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Use new coding style to merge the only use of xenFormatSxprSound into
the caller.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
The test was the only place calling 'xenFormatSxpr'. Drop it as there
are no other users of that code since we've dropped xend support in
commit 1dac5fbbbb.
Signed-off-by: Peter Krempa <pkrempa@redhat.com>
Reviewed-by: Ján Tomko <jtomko@redhat.com>
The docs talked about an active snapshot when they meant an active
domain; they also claimed the flag was a no-op for hypervisors with no
snapshot metadata even though the flag is currently rejected as
unrecognized for hypervisors with no snapshot support at all. A later
patch may teach more drivers to ignore the flag as a no-op, but that
shouldn't conflict with the wording chosen here (since a new client
talking to an old server still runs into the same issue, even if a
newer server becomes more tolerant).
Reported-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
Acked-by: Peter Krempa <pkrempa@redhat.com>
Make it obvious that the domainsnapshotxml2xml test is only run when
compiling in support for qemu.
Suggested-by: Peter Krempa <pkrempa@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
Acked-by: Peter Krempa <pkrempa@redhat.com>
The virConnectGetType() method has an unfortunate signature, returning a
static string that must not be freed by the caller. The remote driver,
however, gets this string dynamically over an RPC call, which raised a
design discussion on the mailing list. Eventually the problem was
resolved by having the remote driver cache the returned string
internally and free it when the connection was closed.
The link to the mailing list is thus talking about a problem that does
not actually exist in the final implementation, and at best serves to
confuse the reader into thinking there might be a memory leak.
Reviewed-by: Ján Tomko <jtomko@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Neither the sasl_client_init or sasl_server_init methods are even
remotely threadsafe. They do a bunch of one-time initialization and
merely use a simple integer counter to avoid repeated work, not even
using atomic increment/reads on the counter. This can easily race in a
threaded program. Protect the calls using a virOnce initializer function
which is guaranteed threadsafe at least from libvirt's POV.
If the application using libvirt also uses another library that makes
use of SASL then the race still exists. It is impossible to fix that
fully except in SASL code itself.
Reviewed-by: Michal Privoznik <mprivozn@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Commit 44b8df4cb4 introduced a check for yajl.pc that is
extremely similar to the one we already had in place for
readline.pc - so similar, in fact, that it's still looking
for readline.pc instead of yajl.pc :)
Signed-off-by: Andrea Bolognani <abologna@redhat.com>
Reviewed-by: Daniel P. Berrangé <berrange@redhat.com>
Similar to commit a487890d for qemu, a little bit of refactoring in
the snapshot delete code will make it easier to reuse functionality
for checkpoints.
Signed-off-by: Eric Blake <eblake@redhat.com>
Acked-by: Peter Krempa <pkrempa@redhat.com>
Fix a filename and add a couple missing words.
Signed-off-by: Jonathon Jongsma <jjongsma@redhat.com>
Message-Id: <20190705192829.1223-1-jjongsma@redhat.com>
Signed-off-by: Eric Blake <eblake@redhat.com>
The 'tty' variable is only used on Win32. Instead of just annotating it
with ATTRIBUTE_UNUSED, make its declaration conditional on WIN32 so that
it is clear why it is not used.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Simplify the clean code paths for doRemoteOpen by using VIR_AUTOFREE
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
The doRemoteOpen method was a little unusual in declaring a bunch of
local variables in the middle of the function. Move them to the top as
it is normal libvirt style.
Reviewed-by: Fabiano Fidêncio <fidencio@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
The qemusecuritytest is failing on FreeBSD 11/12, reporting that files
are not correctly restored. Debugging code printfs show that the
virFileGetXAttrQuiet mock is returning 0, but the virFileGetXAttr
function is seeing -1 as the return value.
Essentially there appears to be some kind of optimization between the
real virFileGetXAttrQuiet and the real virFileGetXAttr, which breaks
when we mock virFileGetXAttrQuiet. Rather than trying to figure out
how to avoid this, it is simpler to just mock virFileGetXAttr too
since it is very short code.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
There is an error path that jumps over the initialization of
nerrors, and the jump target reads the variable contents.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
Zero out the user provided memory in order to avoid potentially freeing
uninitialized memory.
Signed-off-by: Ilias Stamatis <stamatis.iliass@gmail.com>
Reviewed-by: Erik Skultety <eskultet@redhat.com>